Tuesday 18 March 2008

PHORM - UPDATE

It would seem that the chorus of disapproval about the "targeted advertising scheme" (a cute euphemism for spyware, that) developed by Phorm is gathering pace somewhat. There is this from The Register - for me a clear indication of how disingenuous, if not mendacious, BT are being about the product. And, as The Register reports here, FIPR (for the uninitiated, the Foundation for Information Policy Research) has written an open letter to the Information Commissioner outlining their concerns and maintaining that the scheme is illegal.

I note too Tim Berners-Lee's comments, reported here. I can't help feeling that this intervention is especially significant, essentially because it reaches beyond the narrow confines of the Phorm issue. He makes the crucial point about his data and web history that: "It's mine - you can't have it. If you want to use it for something, then you have to negotiate with me. I have to agree, I have to understand what I'm getting in return." It will come as no surprise that I agree wholeheartedly with this. No doubt in common with Tim Berners-Lee I also believe that the principle should be applied to all data that is held about an individual wherever it is held, not just to their web-browsing history. But, as the law stands, it simply does not give effect to this. Ergo, returning to one of my more persistent themes, what is urgently required in the interests of both data privacy and data security is a radical overhaul of the current legal provision in this area to re-cast the law back in favour of the individual's data rights.

Monday 10 March 2008

DNA DATABASE DEBATE - UPDATE

This - from the Daily Telegraph - sparked my interest, not least because of my relatively recent blog about the DNA database (here).

Now I acknowledge that one has to be careful in making judgements about individual cases when one does not necessarily have all the details available. Nevertheless, even with that proviso, it is manifestly ludicrous and disproportionate that an individual should have his DNA and fingerprints entered on to the respective databases for the measly sum of £2.40 - which, according to the report, he was going to pay anyway. Mr. Ahmad's explanation of his discomfiture at his treatment - "I don't want my DNA stored on the database because it implies I'm going to do something in the future. It feels like I have been tarred with the same brush as criminals." - is very much to the point. It demonstrates the uncomfortable transition from 'innocent' to 'suspect' citizen that is inherent in national/universal database schemes - and the seriousness of which, incidentally, is hugely difficult to understand or appreciate until such time as one has been subject to it. The case also underlines the way in which the Government's current policy - requiring DNA samples on the back of all recordable offences - could/would lead to an all-but universal database over time. One way or another, as more and more offences are added to the statute book and as more and more prosecutions are sought for what are essentially trivial reasons (dropping apple cores or what-have-you), it is getting increasingly difficult not to break the law!

I am reminded too that, in my previous post, I didn't make it entirely clear where I stand on this so I take this opportunity to tidy this up. Clearly I am vehemently opposed to any form of national/universal database. Rather I favour a threshold whereby prosecutions of recordable offences that result in convictions, together with arrests, whether or not resulting in conviction, for violent/sexual/serious crimes should require DNA samples to be taken and entered on the database. While this may be a tad difficult to draft accurately in law it strikes me as being the most proportionate way available to deal with the matter.

STRANGE/WARPED SENSE OF PRIORITIES

There was, for want of a better word, an 'interesting' juxtaposition of subjects in the House of Lords debates on the Criminal Justice & Immigration Bill last Wednesday.

Just short of 4.45pm the Lib Dem's Baroness Miller introduced amendment 129, the purpose of which - as recommended by the Information Commissioner and others - was to increase the current penalties for unlawfully obtaining data. Perhaps more importantly, amendments 146 (from the Lib Dems) and 148A (from the Conservatives) were coupled with this, both of which aimed at introducing the new offence - again recommended by the Information Commissioner - of "knowingly or recklessly causing the loss of personal data".

Now, as regular readers (if there are any) will know, I've blogged about this a fair few times in the past (e.g. here). I also reckon that, because it increasingly feeds into pretty much every aspect of all of our lives, this is the single most important policy area facing our legislators at the moment. With that in mind, I still hold to the view that, while undoubtedly the new offence is a stop-gap measure (until such time as our 'dear leaders' can get their heads round the imperative for a radical overhaul of the whole area of data privacy and security), it is nevertheless both urgent and essential in the short-term that the new offence appear on the statute book (if only, as it were, pour encourager les autres).

Having got that sales-pitch out of the way, what was the Government's response to these proposals? Well, reading between the lines of Lord Hunt's comments, it looks like they want to kick them into the long grass. Apparently the Government have run into serious difficulty with this particular Bill in that - I paraphrase here - they have to get it passed by mid-May at the latest in order to avert a strike by Prison Officers. As a result a bunch of shabby deals are being negotiated behind closed doors by the respective front benches to try and eliminate potential areas of conflict/controversy that might delay the Bill. One such clause touted for this process - Lord Hunt admitted it openly - are these data protection provisions. As Baroness Miller put it: "We have just debated a clause on self-defence that I heard the noble and learned Lord say is not really necessary and now the Government are considering dropping not that but a clause that the public really believe in." Bluntly this is no way to legislate.

Be that as it may, debate on this substantive and essential issue lasted for about 20-25 minutes. And in fact all the respective front-bench spokesmen (Baroness Miller, Lord Henley and Lord Hunt) opened their remarks with direct/indirect apologies for detaining the House from its next business. What subject was so important that, in their minds, it outweighed data protection and security? Why, the arcana of blasphemy of course!?! Debate on this went on for over two hours and culminated in a vote.

Now I'm sure the Lords have considerable expertise in this field. And for sure it is a subject that attracts the interest of many of the members. Of course it's entirely up to them to decide what they think is important. So call me a cynical old goat if you will, but I can't help feeling that, as my title says, this demonstrates a decidedly strange, if not warped, sense of priorities amongst the Lords and Ladies. Surely in the world in which we live 'data privacy/security' versus 'blasphemy' is a no-brainer?

Wednesday 5 March 2008

PHORM "SPYWARE"

Should you be concerned about the security and privacy of the data on your computer/laptop and just in case you're a customer of British Telecom Retail, Virgin Media or Carphone Warehouse TalkTalk, you might want to take a look at this (from the ever-reliable SpyBlog), this and this (from The Register).

Even for those who aren't especially techie-minded (including me), it is plain that the design of the Phorm web advertising scheme is no more than 'spy-ware', pretty sophisticated but 'spy-ware' nonetheless. At a pinch one could argue (just about) - as BT seem to be - that it is moot as to whether or not these Phorm-based schemes breach the provisions of RIPA. But I reckon they're skating on decidedly thin legal ice here; for sure, if I were a BT lawyer, I'd be nervous about turning up in court trying to sustain such a position.

Obviously I can't speak for anyone else but it does strike me as the most abominable cheek that, just as we are justifiably fuming about the Government's utter contempt for and cavalier attitude about the security and privacy of our data, along come BT, Virgin, and Carphone Warehouse with this mendacious wheeze that demonstrates precisely the same sort of mind-set. Of course, this is in fact a major part of the problem. Because the Government is so contemptuous and cavalier about looking after our data, the private sector begins to think it can behave in the same way: a case almost of monkey is as monkey does. And that makes it all the more imperative that action be taken across the whole of Government to sort this out as a matter of urgency.

Will they do so?

Monday 25 February 2008

DNA DATABASE DEBATE

In the wake of the convictions of Stephen Wright, Mark Dixie and Levi Bellfield it was perhaps inevitable - if not predictable - that the thorny issue of a national DNA database would crop up, not just on the back of Det Supt Stuart Cundy's (personal) insistence that: "It is my opinion that a national DNA register - with all its appropriate safeguards - could have identified Sally Anne's murderer within 24 hours. Instead it took nearly nine months before Mark Dixie was identified, and almost two-and-a-half years for justice to be done." It is an assertion that is at once emotive (pandering to the earnest wish of us all that the perpetrators of such vile crimes be brought to justice as speedily as possible), persuasive (on the face of it, 24 hours versus 9 months is an absolute no-brainer) and brave (especially for an individual who may well not be possessed of a great deal of expertise in the design and management of data systems).

Now I wouldn't want to be misunderstood here. No-one, least of all me, disputes that DNA analysis is a hugely important investigative tool for law enforcement agencies (although we should hold in our minds that it is a crime-solving rather than a crime prevention resource). But I cannot help feeling that Det Supt Cundy's assertion is at best moot and may even be both misleading and inaccurate (not least when, for example, it is measured against the 100 or so occasions on which the criminal activities of Levi Bellfield were reported to the police). Here the most important point to be aware of is that database systems are a technological resource, subject to certain innate physical properties and intractable rules. And one of the most fundamental of these, as Ross Anderson has sought to make abundantly clear for a very long time now, is that "You can have security, or functionality, or scale - you can even have any two of these. But you can't have all three." Therefore, as sure as eggs is eggs, scaling up the DNA database to a national/universal level would have the inevitable effect of compromising either functionality or (more 'preferable' from the Government's point of view?) security.

On top of this we have to factor in not only the fact that the existing DNA database is populated with a fair degree of error already (from memory, something like half a million of the 4.5 or so million samples retained are estimated to have been mis-recorded on entry) but also that, like fingerprints, DNA analysis is not infallible. The point here is that, if the database were to be scaled up, these in-built errors would be magnified, perhaps even to the extent of undermining the value of the resource. In sum it doesn't necessarily follow that a whole-of-population database would, of itself, guarantee speedier investigative results. (Manifestly I have rather less hesitancy about this than that felt by Iain Dale in this post.)

Now, to be scrupulously fair, as Philip Johnston says in this article in the Daily Telegraph "Tony McNulty, the Home Office minister, was commendably quick to reject the calls for a universal DNA database," something which we need not necessarily have anticipated given the witlessness of some of his previous comments about ID cards and the NIR. Against that background, it is perhaps even more surprising that he has demonstrated an uncharacteristic degree of common sense in a number of his comments. He is spot on in maintaining that a national DNA database would not be a "silver bullet". He is spot on in identifying that it "would raise significant practical and ethical issues". He is spot on in saying that (as I imply above) "How to maintain the security of a database with 4.5m people on it is one thing, doing that for 60m people is another." In other words the Home Office wholly reject the idea of a national DNA database.

So far so good - and, honestly, like Philip Johnston, I commend and congratulate him for having put the Home Office's policy in this area into the public domain so concisely and so quickly. But, whilst I have no difficulty in giving him plaudits when they are due, I can't help feeling that he's managed to create a huge intellectual inconsistency for himself and the Government. You see, if we take these policy constraints on a national DNA database at face value, they in turn beg a hugely important question: what is the difference, qualitatively and quantitatively, between a national DNA database and the NIR or the NPfIT, &c?

The answer (a la Paul Daniels) is "Not a lot!" In fact, under the umbrella of the "Transformational Government" agenda (the proposition whereby the minutiae of every scrap of information held about an individual should be shared seamlessly across the whole of government), these databases are even more intrusive because, as a generality, they do not rely upon onward analysis for required data to be extracted from them. It would therefore be wholly legitimate to assume that, in the interests of consistency, the same policy constraints that the Government has identified in respect of a national DNA database (presumably this is what Tony McNulty's comments were intended to convey rather than a personal opinion) should be applied equally to their grandiose and misguided plans for ID cards, NPfIT, ContactPoint, &c. So, viewed logically, the Government's attitude about a national DNA database damns to hell and back their adherence to other national databases they have in the pipeline. To quote Tony McNulty's own words, the stark reality is that none of these would be a "silver bullet" to address the problems at which they are aimed, all of them "raise significant practical and ethical issues", and all of them fall foul of what could be called Anderson's Law, namely, "How to maintain the security of a database with 4.5m people on it is one thing, doing that for 60m people is another".

I know it's too much to hope for but the prospect of a little bit of joined-up government thinking here (i.e. Ministers being capable of recognising the equivalence between a national DNA database and other databases (both existing and proposed) within the Government's purview) wouldn't go amiss. Well, dreams are free. But I fear it ain't going to happen soon.

Friday 8 February 2008

MANIFESTO (UN)COMMITMENTS

I confess to having been a bit slow on the up-take about this. Nevertheless, in amongst the wholly legitimate reaction of the blogosphere (especially Trixy at Is There More to Life Than Shoes? for leading the story out but also Guido, Iain Dale, Dizzy, et al) to the Great Bottler's 'legal' prognostication that "Manifesto pledges are not subject to legitimate expectation", there sits another (potential) constitutional minefield which may well come back to haunt him.

Pretty much, the House of Lords considers itself still bound by the terms of the Salisbury Doctrine (excellent HoL library note here) - i.e. the House should not reject Government Bills brought from the House of Commons for which the Government has a mandate from the nation (aka manifesto commitments). But, if the executive (in the form of the Great Bottler) is sitting there saying that the promises it makes to the nation in the heat of the election battle are utterly meaningless, by extension the Salisbury Doctrine can no longer bite.

Interesting! I wonder how the red leather benches - particularly those of a constitutional and/or forensic temperament - are going to make sense of this, not least because, in terms, it looks as if the Great Bottler may have opened up the possibility of Government Bills being voted down in the Lords, legitimately, at 2nd Reading.

Friday 1 February 2008

HMRC ONLINE SYSTEM CRASH

OK, so this is no big surprise - especially given the Government's record for (in)competence over IT systems. And at least they have had the wit to extend the deadline for filing - no doubt thinking about the horrendous publicity they would receive on the back of the double standard revealed a few days ago.

In advance of any announcement as to what has caused the problem, current speculation (and conventional wisdom) is arguing in favour of a failure to build into the system adequate capacity/scalability to cope with (inevitable) traffic peaks as the deadline approaches. No doubt this has been a contributory factor - it is a not uncommon problem with the Government's IT systems. But - call me an old softie or maybe I'm just being too optimistic - I'd like to believe it also has something to do with data security improvements to the site/system on the back of the HMRC fiasco. This may be just too incredible - and probably wouldn't be admitted to by Treasury spokesmen in any event - but, if such an analysis is correct, it would imply that ad hoc attempts to retrieve an irretrievably 'broke' system are likely to cause more problems than they solve. In effect what may be necessary is a root-and-branch re-design/re-build of IT systems to guarantee that proper data security and capacity is built in from the get-go.

I don't doubt that this is an especially scary thought - in policy/financial/&c terms - for the Great Bottler and his team!!!

Tuesday 29 January 2008

BREAKDOWN OF TRUST (re DATA SECURITY)

Hot on the heels of their excellent "2007 International Privacy Rankings", those good people at Privacy International have published figures showing a huge collapse of public trust in the Government's ability to hold our personal data securely.

Of course, of itself, this isn't particularly surprising or startling news. In the wake of the HMRC fiasco and the steady and recurring drip of revelations about the failure of individual Departments to protect our data - following on from the scandalous breach of the loss/theft of an RN laptop, this from the Ministry of Justice is merely the latest cock-up that has come to light - I am surprised that anyone has any faith whatsoever in a presumption that the Government can demonstrate even a smidgeon of competence in this field. No, what makes PI's report interesting are two associated consequences/repercussions.

First, it would be naive to assume that this breakdown of trust will confine itself to our interactions with Government. As PI's text points out, it will inevitably leech into the broader context of e-commerce generally - that is to say in both the public and private sectors (something confirmed, at least in part, by the FSA's recent Financial Risk Outlook): "At this stage it is not a simple matter to predict the potential financial impact of such a trend, but it is quite possible that the economy's growth could be inhibited if trust in data security continues to erode. The cost could easily run into billions of pounds per year". With the UK/world economy looking ever-more flaky (post N.Rock, the credit crunch, et al), the timing of this could not be worse, especially in terms of the direction of the psychology of the market (as per recent stock market volatility being a function of a lack of confidence). As Simon Davies says, this makes it a matter of considerable urgency that the Government should get a grip on the means to re-establish trust as soon as possible - although, as this piece from Rosemary Jay at out-law.com makes plain, the prospect of this looks exceedingly remote. Failure to do so could have the unintended consequence of entrenching the downturn in the economy more deeply.

This leads to my second point. I would guess that, whatever their public utterances, the various Government Ministers who have some measure of responsibility in this field are in a blind panic - if not worse, much worse - as to how to retrieve the position. In fact I have it on good authority that they have even resorted to approaching various privacy advocates with whom they have been conducting something akin to open warfare vis a vis ID cards for suggestions/advice. This would be laughable if it wasn't so serious! But their blind adherence to the Government's perceived wisdom about data management/Transformational Government/&c (all that tripe) means that their minds are closed to any sensible suggestions that may come their way. In their current mindset, all that is left to them is to shift the deck-chairs on the Great Bottler's good ship Titanic.

So, dear reader, whoop-de-do, things are going to get worse before they get better, not only in terms of data security/management but also the economy. And I reckon that, in the current climate, the best thing to do is to hold on to that distrust for a while as the best way of riding out the twin storms of Government incompetence over data security and the economic downturn.

Monday 28 January 2008

ONE LAW FOR THEM ...

When one reads about this sort of thing, one really does wonder why our lords and masters find it so difficult to comprehend that we are so disengaged from the political process. It is a classic case (pace MPs' pension arrangements, salaries/expenses, &c) of them locking themselves in their ivory towers and assuming that the (idiot) general public can be subject to the full force of the law (with all its foibles, failings and flaws) while they sail blithely above it! So why should the security of the personal data of the general masses be less robust than that of anyone who lays claim to so-called 'celebrity' status? As Mark Wallace of the Taxpayers' Alliance says, it "is a completely unacceptable double standard." Bear in mind too that the same sort of procedure is built in to the ContactPoint database - as I understand it, the personal details of the children of parents accorded 'celebrity' status are afforded similar 'extra security measures' on the database.

In fact, in statutory terms, these sorts of arrangements could well be challengeable on the basis of hybridity. There is a general presumption that the law should treat all citizens as equal and that putative special categories of individuals should not be singled out for preferential treatment under it, as seems to be the case here. That said, I'm uncertain what the appropriate means of redress would be in these circumstances.

Sunday 27 January 2008

HUMAN RIGHTS CHALLENGE TO RIPA?

Outlaw.com has a mildly speculative piece about the possibility that the recently introduced provision (under the Regulation of Investigatory Powers Act) to force the handover of encryption keys could be challenged under the Human Rights Act.

Insofar as this is accurate, it is both very welcome and potentially very far-reaching. It implies that, intriguingly, a whole raft of anti-privacy-related legislation (varying from the security regimes at airports, through ContactPoint, all the way up to ID cards) could be subject to the same sort of risk. Indeed, if any such action were ever to be tested in the Courts, it could even have ramifications for the current inadequacies of the requirement of Ministers to make Section 19 declarations under the terms of the Human Rights Act on the face of all Bills presented to Parliament.

However, as the piece makes plain, the current law has been drafted so that, in essence, the State can both 'have its cake and eat it'. As it points out the difficulty is that the 'European' equivalent to a 5th amendment right is not absolute but will rely upon the interpretation of the courts in the circumstances of the case - an elegant solution for the State but, I venture to suggest, not one that works particularly well in the interests of the citizen.

Nevertheless the article does raise two specific issues in my mind. First there is the issue as to whether the appropriate safeguards - level of authorisation, &c - are sufficiently well-defined in statute and are adequately transparent and accountable. I question that. Second, as William Malcolm observes in the article: "The whole purpose of the Regulation of Investigatory Powers framework is to place on a statutory footing, on a transparent footing, the way in which law enforcement agencies and national security agencies access these materials". In other words, its purpose is to deliver legal certainty. But, on the basis that the current policy may be challengeable in the courts and that the outcome of any such challenge would be dependent upon how the relevant court interpreted the circumstances of the case and the available evidence, that certainty simply does not exist.

Not for the first time, the policy-makers and legislators seem to have managed to make a pig's ear out of a silk purse!!! Still, we shall see.

ID CARDS - WHERE ARE THEY NOW?

There has been much speculation about the scrapping of the ID cards policy in recent days (here and here) - and an especially fatuous analysis of the politics of this from the BBC. Here I stand by my previous analysis about this which is a matter of record (for example here). For a variety of reasons (principally concerned with political calculation) the Great Bottler has always been lukewarm about the whole ghastly project. In the current climate, I would go further; he will be calculating that it would be in his (and New Labour's) best interests to neutralise the electoral liability that they represent (all the more so in the wake of the HMRC fiasco). Nevertheless he will only move on the issue at a time of his choosing when he reckons both that he will not be seen as a 'victim' of events and when he can maximise the potential political advantage of doing so. That said, I am prepared to concede that the looming prospect of them being kicked into the long grass has probably edged somewhat closer.

But - and it's a massive but - ID cards are merely the visible part of a huge iceberg - it's what we can't see under the surface of the water that really matters. Those excellent bods at No2ID (and many others) are only too well aware of this - in deliberately choosing to target the whole "database state" rather than ID cards in isolation. Indeed, the Great Bottler is no doubt equally well aware of this (which may in part explain his diffidence on the subject thus far) and will be factoring this in to his eventual decision about the policy. The stark reality - and sad truth - is that, however desirable the scrapping of ID cards may be, their demise will do nothing to exorcise a principal plank of policy that causes the greatest degree of concern: i.e. the availability to Government of a comprehensive digital footprint of our whole-life experience in the minutest detail. So, the passport database, eventually covering round about 80% of the UK population (after all it was always intended that this would provide the backbone to the National Identity Register), will continue to exist and operate. Legislative provision for serial data-sharing across Government continues relatively unabated. Et cetera, et cetera. And, if a little ironically, what makes all of this so much worse is that the accountability and transparency of the regime - as compared with the situation that would exist with full implementation of ID cards - is all but non-existent. Again this may explain why the Great Bottler is attracted to this approach as to all intents and purposes it is the delivery of the policy by stealth, something that he has proved himself to be especially adept at over the years!

What is frustrating - and depressing - is that our politicos, for all their high-minded rhetoric in opposition to ID cards, appear to be either unable or unwilling to recognise this (e.g. Calamity Clegg's grandstanding on the issue a few weeks ago). I can't help feeling that all of us would be very much more comfortable about our political process if those engaged in it could at least exhibit a full grasp of the issues facing them; indeed, that might inspire us to respect them a little more!

And what is now required above all else - a persistent theme of mine - is a root-and-branch re-think of the whole sorry mess of identity/data management by, for and on behalf of government, together with new primary legislation to attend to these matters in a coherent way. Will any of the parties have either the wisdom or courage to grasp this nettle? I'm not holding my breath!

Friday 25 January 2008

UK = "ENDEMIC SURVEILLANCE SOCIETY"

I'm sure you will have noted that Privacy International published their "2007 International Privacy Ranking" a few weeks ago. Indeed there was some comment on the Report at the time (for example here from The Register and here from Spyblog) - and to this extent I concede that this is something of a 'catch-up' post. We can make of the Report's findings what we will. But the criteria that PI have deployed to make their assessments are appropriately objective. And on that basis it makes for decidedly uncomfortable reading.

Two things in particular strike me about the Report. First the trend in both the UK and the USA is undeniably towards ever greater erosion of our privacy rights. In other words the position defined by the Report is no blip on the radar. Rather, however well-intentioned some of the imperatives that underpin it may be (improvements to public services, prevention/detection of fraud, or what-have-you), it is an entrenched and relentless policy direction.

Second - and much more importantly - the right to privacy (and the attendant provision of adequate safeguards against the intrusion of the State into our daily lives) is a fundamental building block of a free society. Therefore, as sure as eggs is eggs, its emasculation makes us less free. If we stop to think about the somewhat woolly concept of 'The War on Terror', we can adopt a simplistic view that it is being 'fought' - I use the word advisedly - to protect our essential freedoms from the encroachment of the fundamentalist - perhaps even barbaric - ideology of the terrorist cause. The irony is that the assault on our privacy rights is justified in no small part on the basis of it being necessary in the interests of national security and to protect us from terrorist-inspired outrages. Accordingly I hope I'm not alone in supposing that it is perverse - some might even say asinine - to abate quintessential democratic freedoms (that of privacy in all its guises in particular) as a conscious and deliberate policy imperative when, to all intents and purposes, the declared aim is to defend them.

Now it may be that, at least superficially, privacy is less valued in societal terms than once it was. Innovations such as Facebook, MySpace, (perhaps even blogging) and others of this ilk are illustrative of how easily the (as it were) security of our privacy can be fragmented as a function and/or consequence of our interaction with the Internet and the Web. For my part I suspect that the vast majority of users of such sites are blissfully unaware of the way(s) in which their adherence to them either can or does undermine their privacy rights. In effect it is, in the main, an unintended - and, if considered properly and on the basis of full understanding, unwanted - consequence of 'buying into'/keeping pace with the latest technological advances. In other words it isn't so much that privacy is valued less; rather, in the context of how the Web works, it is less understood and/or misunderstood. What matters here is that the societal changes wrought by the Web/Internet make it more, not less, important that the right to privacy should be defended.

The upshot is that the policy direction here as espoused by our lords and masters (in both the UK and US) is completely and utterly wrong. It is absolute garbage. Methinks, time for a change (not least of direction)!

Wednesday 23 January 2008

NORMAL SERVICE WILL RESUME SHORTLY

A belated - but no less sincere for that - Happy New Year to one and all (more likely the former) who pop in to have a look at my musings.

Clearly I haven't been posting anything over the past few weeks. I apologise for that. For no particular reason I decided to extend my Christmas/New Year holiday, a) because it seemed like a good idea and b) because I have an extremely generous employer (myself!) who let me do so.

Still, I'm back in the saddle now and, as the title says, normal service in terms of posting will now resume although you may have to bear with me for a little while as I catch up with all the paper-work/correspondence that I've neglected for the past month or so. And it may well be that I feel inspired to do a few "out-of-date" posts as I trawl back over the events/news/&c of the last month or so; inevitably there will be some items that I feel worthy of some sort of comment even if they are now "history".

Once again an exceedingly Happy New Year to y'all!!!

Sunday 23 December 2007

GOVERNMENT'S DATA WOES: FIPR'S PROGNOSIS

As I idle away the holiday hours - and sip my rum punch(es) - I've been doing a bit of browsing and, as it were, catching up on old friends. So I gravitated to the FIPR site, a bunch of people for whom I have an enormous amount of respect.

Their press release of a week or so ago (reported on here by Ideal Government) is such manifest common sense that, in case you haven't yet 'discovered' these inestimable fellows, I reproduce it here in full (my emphasis):

"The Government misses the point on Poynter

RELEASE: 17 December 2007

The Foundation for Information Policy Research (FIPR) believes that the Government's response to the interim Poynter report shows that they just don't understand what has gone wrong. Their refusal to abandon the headlong rush towards Transformational Government -- the enormous centralised databases being built to regulate every walk of life -- is not just pig-headed but profoundly mistaken.

Both Alistair Darling, commenting on the HMRC fiasco, and Ruth Kelly, telling the House about the loss of 3 million people's personal information, told us that once 'lessons have been learned' and 'procedures tightened' the march to ever-larger database systems will continue.

Before Transformational Government came along, only small amounts of data were lost -- but as the new databases cover the whole population, everyone's affected now, not just a few unlucky people.

Transformational Government means putting all of the eggs into one basket and it is creating:
  • The multi-billion pound identity card scheme, to hold data on the whole population;
  • The National Health spine, which will make everyone's health records available for browsing by a million NHS workers;
  • ContactPoint which will record details on every child in England, with details of their parents, carers and indicators of whether they have any contact with social services. Three hundred thousand people can look that information up;
  • A universal pensioner's bus pass scheme which will hold the data on 17 million people, and in principle will let any bus driver learn your age and address -- when all that it should record is an entitlement to free travel.

Ross Anderson, Chair of FIPR and Professor of Security Engineering at the University of Cambridge said, "the Government believes that you can build secure databases and let hundreds of thousands of people access them. This is nonsense -- we just don't know how to build such systems and perhaps we never will. The correct way to design such systems is to localise the data, in a school, in your local GP practice. That way when there is a compromise because of a technical failure or a dishonest user then the damage is limited.

"You can have security, or functionality, or scale -- you can even have any two of these. But you can't have all three, and the Government will eventually be forced to admit this. In the meantime, billions of pounds are being wasted on gigantic systems projects that usually don't work, and that place citizens' privacy and safety at risk when they do."

Richard Clayton, FIPR Treasurer said, "Personal data ought to be handled as if it were little pellets of plutonium -- kept in secure containers, handled as seldom as possible, and escorted whenever it has to travel. Should it get out into the environment it will be a danger for years to come. Putting it into one huge pile is really asking for trouble. The Government needs to completely rethink its approach and abandon its Transformational Government disaster.""

WHAT DID I TELL YOU?

You will perhaps have gathered that I actively loathe airports and air travel - the whole sordid process treats you as if you're some bullock on the way to slaughter. Still it does have its compensations of sorts when ... eventually and after all the hassle ... you arrive at your destination. So I'm now enjoying a spot of R&R in glorious sunshine sipping my rum punch and catching up on news from home via the Web.

So, what a surprise! As I suggested in my post yesterday, yet more data security breaches have come to light, this time courtesy of the Department of Health. It is almost as if these revelations are running through each and every government department in turn - first HMRC/DWP, then Transport and now Health. So who will be next?

A few thoughts come to mind, all essentially reflected in the BBC's reporting of this. First, as Norman Lamb says (and I've been saying consistently ever since I started this blog): "The whole culture of data management in the public sector has to change." The comment from Joyce Robins of Patient Care indicates just how serious the current situation actually is: "I think it's the tip of the iceberg, actually, because there's such carelessness within the NHS and it's always impossible to hold anyone to account and find out who's actually done anything." Bear in mind that this position prevails across the whole of government, not just in the NHS. It therefore follows that, to give effect to this essential cultural change, major primary legislation will be required to recast the whole sorry mess for the benefit of both the individual citizen and the public good. Andrew Lansley's comments are equally pertinent: "You have to wonder why on earth it took the Revenue and Customs to lose their discs and for government to institute an inquiry across government for these losses of data to come to light. It does feel like there's a sense in government, all parts of government, that we're required to provide data and we are constantly told that it will be protected, but in reality that level of protection simply isn't there." You can't argue with this - although the Government will no doubt try.

Next, it is to state the obvious but now there really does have to be a moratorium on the development of ContactPoint, the NHS NPfIT and ID cards - if not outright scrapping of all three - until such time as all the flaws in the Government's data security systems have been ironed out. To repeat, this has to start with primary legislation. The various "reviews" initiated by the Great Bottler simply do not cut it. And whatever recommendations they come up with for improving matters will, in fact, be worthless. There is nothing to be gained in overlaying new, more rigorous procedures on a regime that is manifestly broken at its core.

Finally, there is the issue of the timing of the announcement ... just as we're all winding down from the daily grind and getting into proper festive mood. Burying bad news? More than likely! Because what's the betting that the Government knew enough detail about these breaches to have been able to reveal them to Parliament before it rose on 18th December?

As I've said before, this is going to get worse for the Government before it gets better. There will be more data security breach revelations in the coming weeks. And, bluntly, the issue is just not going to go away until they hold up their hands, admit the error of their ways and legislate to resolve it. Even then there's no certainty that whatever our technologically illiterate politicos come up with on that front will in fact make our data any safer.

Tiddly-pom ... back to the rum punch(es)!!!

Saturday 22 December 2007

GOVERNMENT'S DATA SECURITY WOES

Notwithstanding my previous post, this is by way of a small spot of house-keeping. I can't really let the latest batch of the Government's data security breaches (as per here, here and here) pass without some sort of comment.

Happily others have made appropriate noises about them already - notably Dizzy (who else?) (here and here) who makes the eminently sensible and intelligent suggestion of "a proper technology ministry responsible for all IT and security". Personally I reckon it needs to go a little further than this. There should be a Cabinet-rank Minister, ideally with some level of technological expertise/knowledge (chance would be a fine thing from our current bunch of politicos!!!), with full responsibility and accountability for IT across the whole of Government, not just cross-departmentally. The problem here isn't just about data security but about the whole bundle of IT issues (procurement, project development, infrastructure, &c, &c) which suffer from the dread disease of departmental turf wars and unjoined-up Government. As Dizzy rightly says: "As long as we have a disconnected system of IT development and systems in Government then there will always be someone else to blame".

The other part of the problem is that Government's 'wants and needs' from our data, notwithstanding data protection legislation, are (generally) antipathetic to our own. Worse, there is a cultural malaise within policy development in this area that assumes too readily that our interests should be subsumed to an airy-fairy perception of the 'greater good'. In other words, our own 'wants and needs' for our data play second fiddle to those of Government. The vexed issue of who 'owns' data is inextricably wrapped up in this and gives rise to an extremely persuasive argument that this matter - the rights to privacy of and for data - should be addressed legislatively as a matter of urgency. Quite rightly Dizzy also maintains: "Under no circumstances should any personal data be sent out of the country by Government". Again I favour going further than this. We should revert to a principle that has been floating around for some time, trusted third party "info-mediaries". Responsibility for all data administration and management should be stripped away from the government machine and passed to a sensibly funded, independent (of both the public and commercial sectors) organisation (or organisations) (perhaps akin to the ICO) which would be statutorily charged with all data management, ideally on a federated basis, on behalf of the citizen and the government (in that order).

And finally I slightly disagree with Dizzy when he says: "The Government's proposal for jail time for anyone breaching data security is a misdirected solution". He is of course correct in saying that this is "putting a Band-Aid over a gaping gash". Nevertheless, it seems to me that the complete absence of any effective sanction for "reckless" data security breaches is a major contributory factor to the cavalier/indifferent culture that exists on data security within Government. It therefore follows that some form of deterrent could have the beneficial effect of focussing minds on being rather more assiduous about data security. I can't help thinking that this is a necessary part of the solution.

I have one final point to make. Evidently, the Great Bottler is hoping that the scandals surrounding data security breaches will disappear over the coming weeks - which attitude, incidentally, is itself a manifestation of the cultural malaise of which I speak. If I was in his big tent, I wouldn't have all that much confidence in this expectation. What we know is that the Information Commissioner has made it plain that there is a whole bunch of government-held data that has gone 'walkabout' - although none as serious as the HMRC scandal (given the scale of that disaster, we shouldn't be surprised by that). Thus far we've only really been told about the DSA breach. So it is reasonable to suppose that news of others will continue to dribble out for quite some time. Quite apart from that, the whole matter will be revisited by the media and Parliament relatively early in the New Year when the various Reports are published. The issue just isn't going to go away. Additionally, all it would take for the whole issue to flare up again in spades - and for the skids to be put almost terminally under the Great Bottler's administration - would be a single instance of fraud or identity theft perpetrated as a result of a loss/breach of government-held data. And that, dear friend, continues to be a seriously viable possibility!!!

(Sorry about that.) But still have a happy Christmas.

BEST WISHES OF THE SEASON

It never fails. Perhaps it's psychosomatic or I'm just a hopeless hypochondriac. Along comes Christmas (or Easter - in fact pretty much any high day or holiday where the concept of en famille is involved) and I get struck down by some bug or another. So I've been hors de combat these past few days, hiding under the bed covers feeling like death warmed up, which, needless to say, explains why I haven't posted anything for a while - not that anyone's necessarily noticed!!!

Happily whatever affliction had taken hold is now easing which is just as well because we're off to warmer climes for a few weeks. So posting, if it happens at all, will be very light until well into the New Year.

It only remains for me to convey my very best wishes to all my readers - are there any? - for a very happy Christmas and a prosperous and joyful New Year.

Tuesday 18 December 2007

LIBDEMS' LEADERSHIP RACE

So Nick Clegg wins. Well ... whoop-de-doo!

For most (if not all) of us, isn't it just a relief that the 'Snoozeathon' (hat-tip to Iain Dale) is finally over? Actually I think Iain has it about right in that the ultimate 'loser' in this protracted 'watching-paint-dry' exercise is the LibDem party itself. No momentum or traction was generated within either the media (though the BBC did at least try to help them along) or the minds of the general public by the contest. Nick Clegg has ended up with a 'victory' of sorts but, because of the narrowness of the margin, it is decidedly hollow. And, given his lacklustre performance during the campaign, there has to be a real risk that (a la the Great Bottler) he's not really cut out for the intensity of the top job. The party itself, in not giving either Clegg or Huhne a clear mandate, has manifested its natural inclination towards degrees of tribalism and indecision - typically, their Janus-faced instinct of trying to look both ways at the same time has come to the fore.

But, as Iain says, this is not to underestimate Nick Clegg. Although I make no prognosis of potential coalition deals (above my pay grade) it is undoubtedly correct that Clegg has more potential appeal to Conservative rather than Labour waverers. For the Tories that is both a problem and a risk that needs to be addressed. But, for me, the real question has to be what sort of room for manoeuvre does Clegg actually have, given that the narrowness of the outcome shows that Huhne has a viable power-base - and therefore influence over both policy and tactics/strategy - within the party as a whole? Will he find himself somewhat hog-tied by the noises off that, in all likelihood, will emanate from the Huhne camp in the coming weeks and months?

Monday 17 December 2007

WOMEN'S PENSIONS

There was a very interesting exchange as first business in the House of Lords earlier today - so interesting that I reproduce it in full:

Baroness Hollis of Heigham asked Her Majesty’s Government:
When they will report on their commitment, made during the passage of the Pensions Act 2007 through Parliament, to help women to buy back additional national insurance years.
The Parliamentary Under-Secretary of State, Department for Work and Pensions (Lord McKenzie of Luton): My Lords, the Government committed to look at a range of options to help individuals who have gaps in their national insurance contribution records to purchase additional voluntary contributions. This work is now complete. The options were analysed in terms of fairness, affordability and simplicity. The Government have concluded that none of the options considered passes these assessment criteria and none is particularly well targeted, and therefore have decided to make no changes to the current rules to allow individuals to buy additional national insurance contributions. (So, as per standard NuLabour practice, the commitment we made wasn't the one anybody else thought it was and, even if it was, we're not going to honour it anyway - so there!)
Baroness Hollis of Heigham: My Lords, I am profoundly dismayed by that Answer. In my view, it will not do. (And I'm mightily pissed off that the Government of which I was once a (reasonably) prominent member is behaving in such a shabby way.) Does my noble friend accept that there are coming before the Commons, and therefore to your Lordships’ House in due course, the National Insurance Contributions Bill and the personal accounts Pensions Bill and that, if this House agrees, we will continue to fight to ensure that women who have been carers do not find themselves penalised by going into retirement with an incomplete, poor pension? (And there will be blood on the Government carpet once we've cobbled together a cross-party alliance to defeat them on the issue.)
Lord McKenzie of Luton: My Lords, I well understand the disappointment of my noble friend and others in the House, particularly as she has campaigned so effectively on this issue, but the position is as I have outlined. We should not lose sight of what has happened under this Government in improvements to pensions, particularly for women. For example, the reduction in the number of qualifying years needed for a full basic state pension is 30—a key measure—and, for the first time, paid and credited contributions for caring will be recognised equally for basic state pension and state second pension. (We've done our bit and thrown money at just about everything under the sun; the only trouble is we're beginning to run out of the stuff so we can't afford to pay for this. And frankly we've made such a mess of the economy that it's all going belly up in the next few months.) Those are important developments, but I am well aware that this debate is quite likely to continue with those two pieces of legislation. (And I'm not looking forward to it.)
Lord Fowler: My Lords, does the Minister not remember that when the proposal of the noble Baroness, Lady Hollis, was put to this House it was agreed to by a margin of 179 votes to 86? Surely it is a sensible measure; it gives flexibility and it particularly helps women in retirement. Frankly, the sooner it is done, the better. (The Conservatives will stand four square behind any proposals Baroness Hollis may bring forward.)
Lord McKenzie of Luton: My Lords, I am not sure that we on this side should take any lessons from the pensions record of the Conservatives. (I'm getting a bit tetchy so better use this default response; and if things continue to be a bit tricky, I'll have to resort to giving ourselves a glowing report on our record in Government too.) The challenge for the measures was to reach those people whom my noble friend most wanted to reach but not to have to bear the cost of the others. That has been the difficulty. For example, if this is a policy commitment that the Opposition want to take on, let me explain that the option of an extra nine years pre-2010 and six years post-2010 would cost in cash terms a bit short of £5 billion to 2050—net present value, in prices terms, £1.3 billion. (As I've said, we've made such a mess of the economy - and got all our spending priorities wrong - so we can't afford it.) That is the analysis and that is the issue before us.
Lord Davies of Coity: My Lords, is my noble friend aware that, when I became general-secretary of my trade union in 1986, I inherited a situation in which part-time women workers were ineligible for the pension scheme? I not only provided for them to become members of the scheme but I backdated the years of service to ensure that they paid money for those years that they had already completed. (Gizzajob!) I hope that the Government do the same with the national insurance contributions.
Lord McKenzie of Luton: My Lords, pensioners have been well served by this Government. Let us look at the facts of what has happened since 1997. (Phew, a soft ball that I can bat back by bleating about our record.) Currently, only around 35 per cent of women reaching state pension age are entitled to a full basic state pension. When the 2010 changes come in, that figure will be three-quarters and, in 2025, 90 per cent, which will be equality with men. Because of the changes that we have made to the state second pension, 2.1 million carers, more than 90 per cent of them women, and 6.1 million low earners, almost 60 per cent of them women, are included in the scheme, which did not provide for them before.
Lord Oakeshott of Seagrove Bay: My Lords, does the Minister accept that, today of all days, when the Government have finally run up the white flag after their appalling treatment of the 125,000 robbed pensioners, this is the last day to try to defend the indefensible on this issue? I give notice that, along with the noble Baroness, Lady Hollis, we on these Benches will be fighting as hard as we can during consideration of the upcoming Pensions Bill to ensure that people get justice. (Can we join in - in a squeaky voice - and clobber the Government too with our tickling sticks?) Does the Minister not accept that what is happening here is a Labour Government spending billions to help rich people by giving them top-rate tax relief and preventing poor women, with broken work records, from saving for a modest pension?
Lord McKenzie of Luton: My Lords, it must be easy being a Liberal Democrat: you are responsible for nothing and it does not matter what spending commitments you make, as we see far too often. (I'm definitely getting very tetchy now especially as those fluffy LibDems are having a go at me too. Leave me alone. I didn't make the mess we're in and, anyway, this lark of 'defending the indefensible' is above my pay grade. Just leave me alone.) If one looks at who would not benefit from the proposals, one sees that it would be the poorest women, because the poorest women headed for pension credit would lose pound for pound if they were asked to cough up for additional class 3 contributions. The proposals would not help those women who could not get beyond 60 per cent of their spouse’s pension; they would simply be paying in money to no avail. It is not right to characterise it as the noble Lord has done.
Baroness Greengross: My Lords—
Baroness O'Cathain: My Lords—
Baroness Dean of Thornton-le-Fylde: My Lords—
(Can we all join in giving Lord McKenzie a hard time?)
Noble Lords: The Cross Benches. (See ... self-regulation works!?!)
Baroness Greengross: My Lords, the Government are developing a strategy for carers across the board and I am pleased to be part of that work, but surely it is beyond belief that a group of carers and people who have had caring responsibilities are going to be discriminated against in recouping the pensions that they could have been entitled to if they had not taken on that role. (I'm signing up to supporting Baroness Hollis.) Will the Government please reconsider, because this is extremely unfortunate?
Lord McKenzie of Luton: My Lords, I stress again that the challenge has been to reach the very people whom the noble Baroness describes. (They won't notice if I repeat the same old garbage; even if they do, time is nearly up so, if I can pad it out just a little bit more ....) That is not possible without great intricacies and complications, which is one of the criteria that we set our face against when we discuss these things in this House. The reality is that the role of carers going forward is significantly improved for the reasons that we gave when we debated the Pensions Bill earlier this year. (Thank God that's over!)

I add only one thought. It is passing strange that, following hard on the heels of trying to make friends of their enemies by enlisting GOATs (for the uninitiated, Government Of All the Talents), the Great Bottler's government cavalierly makes enemies of its erstwhile friends. After all Baroness Hollis was not only a fairly senior Minister for Bliar - though not with an especially Bliar-ite reputation, just solid Labour - but she is also one of the most knowledgeable people on the subject of pensions in Parliament.

The words "trolley", "falling", "wheels" and "off" all come to mind.

Sunday 16 December 2007

WILL GOVERNMENT LISTEN?

Ever reliable, William Heath at Ideal Government gives the Government - and any party (!?!) aspiring to be the next Government (that discounts the LibDems then!) - some sensible and timely advice. His third (stop hiding behind "security through obscurity" and be much more open and transparent) and fourth (implement Privacy Impact Assessments across the whole of Government and its agencies) points are especially important.

Will they listen? Will they heck! But they'd better - because, if they don't, the current 'disconnect' between the electorate and the political process is going to get a helluva lot worse before it gets better!

MAJOR'S INTERVENTION

I confess that I have a great deal of respect and admiration for John Major. I honestly believe him to be one of that increasingly rare breed in modern politics: a genuinely decent, honest and sincere man. He may have been grey and (not to put too fine a point on it) unspectacular - who can ever forget his 'Spitting Image' puppet - during his period in office but he did entrench the reforms of the Thatcher years without many of which (like it or not) the UK would still be the 'basket case' of Europe (if not the world) and, with that 'legacy', I suspect that, down the line, history will be kinder to his Prime Ministership than the intense criticism it received at the time - and still receives. Remember too that, if he had not won the 1992 election, we would have ended up with the axis of the dread Kinnockios ... and that really doesn't bear thinking about. So, when he does the rounds of the TV studios to opine about sleaze, I actually sit up and take notice. After all, he does know a thing or two about the subject matter!

Of course, his intervention has provoked an entirely predictable rant from the left-wing/New Labour blogosphere (e.g. "Pot, Kettle, Black, Mr Major?" from Kerron Cross). I have no difficulty in them saying that Major's period in office was tainted by various scandals of one sort or another (as Kerron points out, "cash for questions", Edwina Currie, &c). But, in turn, Major is quite right to point out that, while "lots of people misbehaved" on his watch, they did so on an individual rather than a collective party and/or government basis. The difficulties that New Labour - and the Great Bottler - are now facing over sleaze are very much worse because - call it ignorance, incompetence, arrogance (maybe downright criminality) whatever you like - they appear to have infected the machinery of the party at every level - from the Cabinet (Harman, Hain, &c) all the way down to the grass roots and individual donors (i.e. Donorgate). As John Major says, they are mired in sleaze at a systemic/institutional level. And the 'evidence' (in fact, taken over the last 10 years, the list is as long as your arm - the Ecclestone Affair, Mandelson, Blunkett, cash-for-peerages, donorgate, &c, &c) is there for all to see. It's just that it's taken rather a long time for the mud to stick - no doubt partly because of Bliar's undoubted skill as an actor/politician and partly because of a compliant media. So, paradoxically, for the likes of Kerron Cross to be slagging Major off in this way is in fact they themselves indulging in a healthy dose of the pot calling the kettle black!?!

You have to remember too that NuLabour's 1997 Manifesto - yes, I'm that much of an anorak that I looked it up! - contained these pearls of wisdom, most of them from Bliar's foreword:
  • "The Conservatives' broken promises taint all politics. That is why we have made it our guiding rule not to promise what we cannot deliver; and to deliver what we promise. What follows is not the politics of a 100 days that dazzles for a time, then fizzles out. It is not the politics of a revolution, but of a fresh start ...";
  • "We are a broad-based movement for progress and justice. New Labour is the political arm of none other than the British people as a whole.";
  • "Our mission in politics is to rebuild this bond of trust between government and the people. That is the only way democracy can flourish.";
  • "We will clean up politics, decentralise political power throughout the United Kingdom and put the funding of political parties on a proper and accountable basis.";
  • "There is unquestionably a national crisis of confidence in our political system, to which Labour will respond in a measured and sensible way.";
  • "This is the purpose of the bond of trust I set out at the end of this introduction, in which ten specific commitments are put before you. Hold us to them. They are our covenant with you."
This was all of a piece with trying to paint NuLabour as "whiter than white" in contrast with the image/perception of the Conservatives being "sleazy"/"untrustworthy"/"corrupt"/"failing"/&c. And it was a line that was always going to come back to haunt them (a la Viscount Falkland's "power corrupts" dictum); what goes around, comes around. Little wonder that this tripe now sounds so hollow and empty!

Bliar knows this - now that he's moved on to bigger and better things. His acknowledgement that he over-played the sleaze card in opposition is as much (in its own way) an admission of this as it is an attempt to distance himself (in advance) from NuLabour's current woes. You've got to hand it to him. He is nothing if not shrewd - but always aimed at protecting his own back. So, officially, the NuLabour Party itself really has no option - and this speaks volumes about the pile of manure they are up to their pretty little necks in - other than to keep shtum on Major's intervention.

Of course, that won't stop them from trying to spin the narrative over the next few days, even weeks, but I'm uncertain that's going to help them much. The situation (as it did with the Tories in the '90s) has passed the point where the facts of the matter are relevant; regardless of them the perception of sleaze is now firmly entrenched in the public consciousness. So the stark reality they have to face up to is that Major has got it absolutely spot on and they're just going to have to live with the principle of the biter bit.

Saturday 15 December 2007

FREEDOM OF SPEECH

News from the US - where else?!? And definitely a new slant on the word "pottymouth"!

Whatever else one can say about it, at least it's a victory for freedom of speech over political correctness and petty-minded bureaucracy. Pennsylvania can be thankful that District Judge Terrence Gallagher has a fair sprinkling of common sense.

Friday 14 December 2007

GUILTY UNTIL PROVED INNOCENT

Dizzy has picked up on a truly chilling statistic here. Half a million innocent - innocent, mark you!! - individuals on the UK DNA database? Is that 'proportionate' or what?!?

Of course (although those utter fools who claim they're 'governing' us haven't really got their heads round this yet), being on the database is only part of the problem. Then there are all the horrors of who has access and for what purpose (e.g. via the terms of the Prum Treaty - see previous post here).

DUTCH MEDICAL DATABASE LEAKY AS A SIEVE

You will have noticed that I'm not shy in coming forward to slate the UK Government for its abject failure to secure our data and/or protect our privacy. Nevertheless it is important to remember that this is, in fact, a pan-European - if not global - problem (albeit the UK under the tutelage of Bliar and his henchmen has been one of the prime movers to get us into the sorry and parlous state we're now in). So this piece of news from Holland has the dubious benefit of reassuring us that (from the scandalous HMRC fiasco down) we are not alone in having profoundly flawed, if not wholly destitute, government administration systems for our data.

Needless to say I draw no comfort from the fact that we're not the only ones who are having our data strewn all over the place. But it is an indication of the scale of the problem we now face.

Thursday 13 December 2007

ANOTHER STATEMENT OF THE BLEEDING OBVIOUS

Kablenet reports here on recent proceedings of the Public Accounts Committee. It seems that, in giving her evidence, Alexis Cleveland, director general for Transformational Government (there's some good commentary on this ogre-ish invention of the Bliar/Great Bottler axis here (from Blairwatch) and here and here (from Ideal Government)), concedes that sharing of information/data within Government increases the risk of the security of that data being compromised. I should co-co!!!

What rankles with me is that, despite a bunch of people telling these closeted dip-sticks for the past ten years or so that this is as sure as eggs is eggs, it is only now, after the HMRC cock-up, that they are even beginning to accept this stark reality. More closing the stable door after the horse has bolted! More "you really couldn't make it up"! Honestly, I don't know whether to laugh or cry at the lunacy of it all.

TEBBIT HUMOUR/"SMART METERS"

There was an amusing little exchange between Norman Tebbit and Jeff Rooker - for me two of the place's star performers - in the House of Lords earlier this week:

"Lord Tebbit: My Lords, is it not clear that the Government and Ministers in particular—with the honourable exception of the noble Lord—are doing all they can to save electricity? They seem to be working in the dark all the time.
Noble Lords: Oh!
Lord Rooker: My Lords, no, I am not going to answer that."

I'm not surprised Jeff Rooker didn't want to answer it!!!

On a more serious note, Jeff Rooker also mentioned "smart meters" during the exchanges: "At present, they are mainly available only for electricity, but apparently displays for gas and water are being developed. They are small, portable, hand-held devices, which can be used in the business or at home, allowing one to read the meter. More important, they can transmit to the energy company the amount of energy used, so estimated bills are not required." (my emphasis). What I'm wondering is whether the category of data that can be transmitted is regulated in any way. If it is not, it is yet another example of how potentially leaky our data security has become.

UNDERSTATEMENT OF THE YEAR? (CENTURY EVEN?)

So the Great Bottler's (ever-so-gentle) grilling by the Liaison Committee throws up this pearl of wisdom from him: "We've got a long way to go" [to develop a coherent Government IT strategy] (reports here and here; interesting to note that the BBC headline uses an 'edited' version of the phrase, "way to go" rather than "a long way to go"!?!). Talk about stating the bleeding obvious.

One other thing is nagging me about the Government's current focus on data security and trying to do something about it. It is all so much closing the stable door after the horse has bolted. And what really worries me is that I'm wholly unconvinced that the Government (or even Parliament) have the wit/capacity/expertise/inclination to (mixing my metaphors) put the genie back in the bottle. There is a very real and chilling prospect that, as of the current situation, we will just have to live with the simple fact that any rights we may once have had to privacy and the security of our data have been irretrievably compromised by the utter incompetence and complacency of those who were charged with protecting them!!! Scary stuff!

PRIVACY IMPACT ASSESSMENTS

Once again those splendid chaps over at Ideal Government bring us welcome news, this time about the launch of Privacy Impact Assessments by the Information Commissioner (relevant press release available here). As William Heath suggests, ID cards/ContactPoint/eCAF/Connecting for Health/eBorders/Scottish bus pass scheme for the elderly/&c would almost certainly have fallen foul of the criteria for assessment. And wouldn't we be in a much better situation if PIAs had been prepared for all these things (and more) so that the necessary and appropriate adjustments/amendments to secure our data and protect our privacy could have been made?

What I'm less certain about is what level of compulsion, if any, the ICO can impose so far as the preparation of PIAs is concerned. So let us hope that some bright spark(s) in Parliament and/or Government (I don't hold out much hope that the latter will) manages to get their head round this and has a go at legislating to make it a statutory duty for Government in all its incarnations to prepare PIAs. Were this to happen it might - just might - limit the almost unrestrained opportunities that our lords and masters have of making a complete and utter horlicks of all their IT schemes and creating hugely expensive 'white elephant' projects all over the place.

Wednesday 12 December 2007

"WEB PAGES LOST IN THE POST?" OR STOLEN?

As an addendum to Dizzy's post here about his infuriation with mis-addressed html links/dead addresses/&c in Hansard's reports, I offer you this from John Lettice at The Register. As he says, the Government using URLs "that it hasn't even bothered to buy is possibly a new low" even for them.

DATA-SHARING CONSULTATION/REVIEW

Kablenet reports that a new consultation has been launched to investigate data-sharing within the public sector. What makes it (possibly) a little bit more interesting is that "In particular, the consultation will seek real life examples of data sharing, and views on current data protection legislation and safeguards". So anyone affected by the HMRC fiasco - or any other of the Government data breaches that seem to be coming out of the woodwork with alarming regularity at the moment - can presumably pitch in their two pen'orth.

Having said that, I am a little surprised. It would seem that this is part of a wider review of "the use and sharing of personal information" announced by the Great Bottler back in October - i.e. prior to the HMRC mess. Now, call me a cynic (which I am) but such reviews are only really ever organised when their instigator is pretty certain of the conclusions that they will come to and that therefore they will be supportive of the desired/intended policy direction. Currently we have to assume that policy in this area is pretty settled - ID cards, serial weakening of the checks and balances on data sharing within government that have existed up to now (as with, for example, the Serious Crime Bill of the last session), the whole Transformational Government agenda, &c. So, what is the point of the review? Is it to achieve post-event endorsement of the already established policy direction? Or is this a coded signal that ID cards really will be for the chop down the line? You choose.

As an aside, I can't help thinking that so many reviews are tumbling from the Great Bottler's fertile/fevered imagination at the moment that it's almost an echo of Bliar's first term in office. If you recall, he - ably assisted by his partner in crime (can't resist that one!), the Chancellor - set up review after review, task force after task force, to investigate just about everything under the sun. It may have created a bunch of cosy sinecures for the supporters but it got bugger all done governmentally or legislatively. In fact I vaguely remember it being said of NuLabour (if a little quietly) that they had been a superb opposition but they didn't have a clue what to do with power once they'd got hold of it - and, if you ask me, they still don't, other than to be comprehensively incompetent dip-sticks. Be that as it may, now that his back is (increasingly) up against the wall, are these the burgeoning signs that the Great Bottler is lapsing back into that mind-set? Could it be that, having finally got hold of the top job that he has craved for so long, he really doesn't have a clue what to do with it? It looks like it to me.

PLOD AT THE DOOR OF No.10 ... AGAIN?

Now here's a thing!

As we know Richard Thomas, the Information Commissioner, has indicated that he is in favour of amendment of the Data Protection Act. Specifically, he is calling for a new criminal offence although quite what form this should take is perhaps less clear. But let us assume that it is wrapped around the phraseology "knowingly or recklessly failing to comply with the data protection principles". That would just about cover all the appropriate bases. And, let us assume that Parliament in its wisdom does in fact put this on the statute book.

Well, we also now know that the Great Bottler, when he was still Chancellor, was alerted to the fact that "data protection procedures governing the child benefit database" were as leaky as a sieve back in 2004 (reports here and here). And yet (so it seems) he chose to do bugger all about it. I know we're talking hypotheticals here but I reckon that sort of behaviour is a pretty good fit with "knowingly or recklessly failing to comply with the data protection principles". In other words, given a law change, the Great Bottler - and, presumably, the current incumbent, Darling - would be in the frame for a visit from Plod, presumably under caution!

You've got to reckon that Nu-Labour, following the indignity of Bliar being the first serving PM to be interviewed under caution over cash-for-peerages, are dead keen not to put themselves in a position where that could happen again - in fact, it'd be worse because I reckon Plod would be interested in the actions of both of the holders of the two highest offices in the land (the PM and the Chancellor of the Exchequer). And so it seems. Certainly it's what I read into the sub-text of this written answer to Baroness Noakes last week.

But, in reality, this may offer them scant comfort. Those excellent fellows over at Privacy International appear to be seriously contemplating an action against the UK Government even as the law currently stands. Quite right too. Needless to say, their chances of prosecuting such a case would improve immeasurably if you, dear reader, felt inclined to offer your support. So, should you feel disposed so to do, please feel free to contact Simon Davies at simon@privacy.org. I'm sure that for a whole bunch of us there would be no better Xmas present than the prospect of the Great Bottler and his sidekick, Darling, having a little visit from the boys in blue!!!

Monday 10 December 2007

PNR (PASSENGER NAME RECORD) DATA/THE PRUM TREATY

(I apologise. I'm so incensed by this subject that I've (possibly) got a bit carried away and this post has ended being rather longer than I intended. It's still worth reading though, trust me.)

I've said previously that I would post something about PNR data and, as it happens, a decent/appropriate 'hook' has arrived in the shape of a truly chilling and scandalous debate in the House of Lords this past Thursday. It was a 'doubled-up' debate on two Reports from the European Union Home Affairs Committee - one on PNR data and the other on the Prum Treaty, a subject I was not particularly familiar with but which looks, at first blush, as if it could be even worse than PNR data - and I invite you, dear reader, to digest it at your leisure, together with the original Report(s) (PNR data here and the Prum Treaty here) and the Government's Responses (here and here respectively).

Given the importance of the subject matter, it was disappointing (to say the least) that there were so few speakers - and that tells its own story about the quality of scrutiny to which the current government is subjected - although, to be charitable, it could be that the business managers deliberately scheduled the debate for late on a Thursday when the vast majority of the old duffers have already quit the asylum for the week-end. Mind you, the membership of the Upper House (with one or two notable exceptions) isn't exactly renowned for its grasp of matters technological and that may have had something to do with it too. In these circumstances, those who did participate (Lords Wright of Richmond, Jopling, Harrison, and Marlesford, and Baronesses Ludford, Harris of Richmond, and Neville-Jones) deserve an especial honourable mention in despatches, not least because, to a man, they gave The Admiral (Lord West of Spithead and the Minister with the dubious honour of responding to the debate) a right royal mauling and roasting (albeit in a very lordly way). I almost (but not quite) feel sorry for the old sea dog having drawn the short straw on this one - surely not what he expected when he decided to draw the Government's shilling.

Now many people will imagine that PNR data is just one of those rather arcane and esoteric things that governments do - the standard "nothing to hide, nothing to fear" argument. But anyone who's travelled to the US and experienced the US-VISIT data collection programme first hand will know that the variety and extent of information required (including credit card details, &c) is profoundly intrusive, if you will an extensive 'electronic footprint' of the individual concerned. Speaking for myself, I'm not at all sanguine about governments compiling such extensive information about me, partly because of their staggering incompetence in administering and securing that data (viz: the HMRC debacle) and partly because, in fact, I have a prior and enforceable right to privacy, a right which is constantly being salami-sliced by government, the very institution that should have, as one of its primary responsibilities, the duty of protecting it!

Manifestly, use of PNR data is a circumstance where the right to privacy is being serially compromised and emasculated. I won't regale you, dear reader, with a full history of the whole sorry saga. By all means, read the debate and the Report(s) for that sort of detail and draw your own conclusions about how we've arrived at the ordure we're now in and who/what is to blame for getting us there. (Wendy Grossman has a v. useful analysis of the whole shambles here.) It is enough to say that those ham-fisted EU negotiators have managed to botch the agreement with the US so that we now have fewer data protection safeguards than previously. Incidentally, Lord Wright of Richmond was explicit about this; in the debate he says:

"the worst possible conclusion would be an agreement that again was accompanied by a letter allowing the United States to disregard its provisions almost at will. Yet this is precisely what emerged in July from the negotiations."
QED.
In addition - and this is one of the things about all this that really makes my blood boil - the agreement is almost certainly of questionable legality. I'll give just two examples. First, as I understand it, UK data protection law (derived from an EU directive and so the same provisions should apply at the pan-European level) requires that processing of data must be limited to the purpose for which it was originally collected. The singular purpose of the US-VISIT programme at its inception was as a counter-terrorism measure - and, in fact, there are exemptions (what a surprise!) on the face of the DPA allowing processing for the purposes of national security, &c. So far so good. But, over the years, that hoary old chestnut 'function creep' has sidled on to the scene. So the new agreement with the US seems to allow processing for general crime, 'communicable diseases', &c purposes, that is to say a whole bunch of things way beyond what was originally intended by the programme itself and way beyond what appears to be sanctioned by EU-wide data protection law. Secondly, there is a general presumption in law that our data will not be sent to third party countries where the data protection regime is weaker or inferior to the standards established in the EU - although again I think there may be an exemption for national security. The US is such a place and it follows therefore that there should be a presumption against the transfer of data there for general processing purposes. But this is precisely what the new agreement allows for. Needless to say there are other areas where the agreement may well breach the spirit, if not the letter of the DPA. Little wonder therefore that the European Data Protection Supervisor and national data protection authorities have been so lukewarm about the subject. As Lord Wright of Richmond puts it:
"Our views were and are shared by the equivalent committee of the European Parliament, by the European data protection supervisor and his deputy, who gave us written and oral evidence, and by the working party of national data protection supervisors, which, of course, includes among its members this country’s Information Commissioner, Mr Richard Thomas."

To cap it all, our lords and masters (throughout the EU) appear to imagine that a letter - a mere letter, for crying out loud!!! - from the US Department of Homeland Security (presumably this one) is an adequate legal foundation for the whole agreement. No legally enforceable treaty, no memoranda of understanding or what-have-you. No, just a letter! So, if we, the citizens of the EU, fall foul of the programme for any reason, we are expected to rely on the reassurances contained in this letter (and I wouldn't mind betting it's not worth the paper it's printed on) as our means of legal redress. And the Admiral's take on all this? Well, when asked during the debate by Baroness Ludford whether this letter was "legally binding" his reply was: " ... perhaps I may get back in writing to the noble Baroness on that specific point. I am not clear on it myself." WTF?!!? He's a Minister of the Crown, for heaven's sake. He should know the answer to such a basic question. And, if he doesn't, what on earth is our Government up to entering into an agreement with a foreign power when it's not even certain of its legal efficacy? You couldn't make it up!

Of course what makes all of this so much worse is that the whole sorry mess has been stitched up behind closed doors. Both the EU/US agreement on PNR data and the Prum Treaty were achieved (Lord Wright of Richmond again):

" ... with no consultation, no explanatory memorandum, no impact assessment, no overall evaluation of the operation of the treaty, no estimate of the cost to member states and minimal involvement of the European Parliament and national parliaments."

No, the power-crazed gauleiters within both the Commission and the governments of the Member States have just decided that the agreement, with all its manifest failings and flaws, is good for us so we have to like it or lump it. As Baroness Ludford puts it:

"Governments, Ministers and national officials are giving themselves arrogant licence to do what they like and then try to pull the wool over our eyes."

Now, even those who view the collection of all this information with equanimity should be able to concede that this is unacceptable. It is just so profoundly undemocratic.

But (and I find this almost impossible to credit) it gets worse. Not content with comprehensively screwing up the agreement with the US, in their arrogance our lords and masters have concluded that they would like their own VISIT-type programme to play with. According to this article from John Lettice in The Register, a Framework Decision has already been made (on 6th November) with the intention of implementing an EU-wide version of the US-VISIT programme, possibly even extending to internal flights (something that was first mooted by the UK Presidency of the EU in the wake of the London bombings back in 2005; i.e. the UK Government's fingerprints are all over this shoddy state of affairs). (Of course this could explain why the bungled EU negotiations with the US were so inadequate and pusillanimous!) Nor is this idiocy confined to the EU. Those excellent chaps over at Privacy International have been up in arms about the fact that the Japanese Government is pulling the same trick.
Now, don't get me wrong. I fully recognise that there is a legitimate argument in favour of harnessing the power of IT (and especially databases) for the purposes of the greater good - specifically in this instance countering terrorism. I can even recognise that the requirements of national security might necessitate withholding organisational details of any programme set up for such a purpose. But others have said this before me - and far more eloquently. The whole point about fighting 'The War on Terror' (their words, not mine) is to protect our rights and liberties. But the palaver surrounding PNR data is a classic example of those rights and liberties being ridden roughshod over, if not trampled underfoot. The fundamental point is that the underlying policy that gives effect to PNR data programmes has to be subject to public consent. It has to be open to scrutiny and fully transparent and accountable. If it is not, it is utterly draconian and, in terms, permits 'the terrorist' to claim some form of victory. Bluntly, why should we expose ourselves to what amounts to unacceptable risk and inconvenience (in respect of the data about ourselves) without some say, however small, in the matter?
It is not as if the utility of PNR data is a given. As Privacy International point out in their letter to the Japanese Government, belated and limited scrutiny of the US-VISIT programme has revealed that, amongst other things:
  • "expenditures continue on projects that 'are not well-defined, planned, or justified on the basis of costs, benefits, and risks';

  • "'management controls to identify and evaluate computer and operational problems were insufficient and inconsistently administered';

  • "'contracts have not been effectively managed and overseen';

  • "security 'weaknesses collectively increase the risk that unauthorized individuals could read, copy, delete, add, and modify sensitive information, including personally identifiable information'; and

  • According to the chairman of the U.S. Senate Homeland Security Committee, Senator Joseph Lieberman, the U.S. government 'is spending $1.7 billion of taxpayer money on a program to detect potential terrorists crossing our borders yet it isn't taking the most basic precautions to keep them from hacking into and changing or deleting sensitive information.'"

Nor in fact is the output of PNR data programmes especially useful. As John Lettice points out - and I've no reason to doubt the figures - "out of 63 million visitors [subject to the US-VISIT programme] the DHS detected a whole 1,200 criminals and immigration violators. It is also thought that one person was detained in connection with terrorism, but it's not known what crime, if any, might have been involved, and what happened." In other words, so far as the primary purpose of the policy (i.e. countering terrorism) is concerned there is a 1 in 63 million chance that the system will throw up what might just, conceivably, be a positive and/or useful result. (As an aside, there is a read-across here to the UK Government's plans for ID cards as the total registrable population will be round about this sort of number. And, as I've blogged previously in the context of the IPS database, this raises the spectre of any PNR database - mark you, it would be pan-European rather than just being confined to the UK - being used as a substitute for the National Identity Register should ID cards be scrapped.) Now, I ask you, dear reader, whether you can discern any sort of proportionality in this sort of outcome?

All in all this sorry mess confirms for me beyond peradventure that I am right to be profoundly distrustful of letting the Government manage or administer my personal information in any way whatsoever. And I can't help feeling that it serves as a stark metaphor for so much that is wrong with the political process in our modern age. If governments are going to be so contemptuous and disdainful of their citizens and their legitimate rights as this sordid saga suggests, is it any wonder that those citizens feel provoked to return the favour? Against the background of this sort of behaviour, purportedly acting in our 'democratic' interest, I say enough is enough and a plague on all your houses!!!

Footnote: A few days prior to the debate, the Admiral, in a written answer, referred to "travel document information" and "other passenger information" (with the acronyms "TDI" and "OPI" respectively) in the context of the UK's e-borders scheme. Now I've no idea whether these are an entirely new invention, equivalent to PNR data, or whatever. But it does seem like a classic way of muddying the waters by giving an old (but discredited) 'friend' a new nickname!